Cisco ACS - Limit Network Access Profiles to Active Directory User Group?

I'm currently in the process of migrating from Microsoft IAS to Cisco ACS 4.2. I'm currently running an Eval of CSACS v4.2 for Windows in the Lab until I can work out the issues.

So far I've been fairly successful getting user accounts authenticated with active directory credentials using the "Windows Database" external user database. The only problem I've run into is that I can't seem to figure out how to restrict access based on Active Directory group membership.

For instance, in the lab I have a Cisco 3750 switch using RADIUS authentication tied back to the ACS server to control login access. But given my current ACS configuration, everyone in the Windows domain can log in to the switch. How can I restrict that down to just a specific user group in Active Directory?

Reply to
aLTeReGo

I am also having the same issue. Did you ever find a solution?

Regards

Ali

Reply to
alibowl

You can do this via unknown user group mappings. Assuming you've added the Windows Database to the unknown user policy in your ACS, do the following:

- go to external user databases, database group mappings

- select windows database

- select your domain. Add a mapping to map from AD group to ACS group, say "Group A"

- Unmapped groups will by default be mapped to the ACS default group.

- In the ACS default group, in group setup, edit the settings so that "Per Group Defined Network Access Restrictions" has the following setting:
  - denied calling/point of access locations
  - add the appropriate AAA client to deny (in this case your switch)

- In the ACS "Group A" (mapped above), in group setup:
  - allowed calling/point of access locations
  - add the AAA client to allow

Reply to
Cen
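The procedure above is done entirely in the ACS GUI, so the only thing left to check is the switch side and the end-to-end result. The following IOS configuration is an added example, not the original poster's config or anything from the thread; it assumes the ACS server is at 192.0.2.10 and that the shared secret, local username and password are placeholders to be replaced. It shows the login method list that hands authentication to ACS (where the per-group NAR enforces the AD-group restriction) while keeping a local fallback, and the `test aaa` command used to confirm that a mapped user is accepted and an unmapped one is rejected.

```cisco
! Added example (not from the thread): switch side of the ACS/NAR setup above.
! Placeholders: 192.0.2.10 (ACS server), RADIUS-SECRET, admin, LOCAL-FALLBACK-PW.
aaa new-model
!
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key RADIUS-SECRET
!
! RADIUS first, local only if ACS is unreachable. A reject from ACS is final:
! IOS falls through to the next method on ERROR, not on FAIL, so an AD user
! the NAR denies does not get a second chance against the local database.
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
! Local fallback account so a NAR mistake on ACS cannot lock you out of the switch.
username admin privilege 15 secret LOCAL-FALLBACK-PW
!
line vty 0 4
 login authentication default
 transport input ssh
!
! Verification from the switch CLI once the group mappings and NARs are in place:
!   test aaa group radius <user-in-Group-A> <password> new-code
!   test aaa group radius <user-not-in-Group-A> <password> new-code
! The first attempt should be reported as authenticated, the second rejected;
! the rejection also appears in the ACS "Failed Attempts" report.
```

Run the two `test aaa` checks from a console session rather than a RADIUS-authenticated VTY session, so a mistake in the default-group NAR (which denies everyone not mapped to Group A on this AAA client) cannot cut off the session you are testing from.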
